Mac Trojan infects machines through Microsoft Office exploit

16 Apr 2012

A new OSX Trojan has been discovered – called Backdoor.OSX.SabPub.a – which uses a Java exploit which bypasses malware detection programs. It comes after the discovery of the Flashback Trojan this month.

According to Kaspersky Lab, the Trojan connects to a command and control server and uses a Java exploit with an obfuscator to bypass malware detection programs. Its command and control server is hosted on a VPS in Fremont in the US.

Costin Raiu, Kaspersky Lab expert, said the exploit is being spread through infected Microsoft Office Word documents. The Trojan is linked to the advanced persistent threat (APT) attacks known as Luckycat.

Raiu said attackers took over Kaspersky Lab’s ‘goat’ infected machine and began to analyse it. They listed the contents of its root and home folders and stole documents placed in there.

Two variants of the Trojan have been discovered, one of which was created in February 2012. The second variant’s original file name was ‘10th March Statemnet’ (sic) which related to a special statement given by the Dalai Lama on 10 March 2011 pertaining to the Tibetan community. As a result, it’s believed the Trojan could be targeting Tibetan activists.

It’s the latest Mac Trojan discovered this month. Earlier, the Flashback Trojan was discovered and infected 600,000 Macs worldwide. Apple has since released software to detect and combat the Flashback Trojan.